Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request identity verification for Compute Engine, App Engine, Cloud Run, and GKE services using access levels, context-aware policies, and programmatic access with service accounts.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionconfiguring-identity-aware-proxy-with-google-iapExecute the skills CLI command in your project's root directory to begin installation:
Fetches configuring-identity-aware-proxy-with-google-iap from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate configuring-identity-aware-proxy-with-google-iap. Access via /configuring-identity-aware-proxy-with-google-iap in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | configuring-identity-aware-proxy-with-google-iap |
| description | 'Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request identity verification for Compute Engine, App Engine, Cloud Run, and GKE services using access levels, context-aware policies, and programmatic access with service accounts. ' |
| domain | cybersecurity |
| subdomain | zero-trust-architecture |
| tags | - google-iap - identity-aware-proxy - gcp - zero-trust - access-context-manager - cloud-run - app-engine |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.AA-01 - PR.AA-05 - PR.IR-01 - GV.PO-01 |
Do not use for non-HTTP applications that cannot be placed behind an HTTPS load balancer, for public-facing applications that need unauthenticated access, or when applications handle their own authentication and IAP would conflict with existing auth flows.
gcloud services enable iap.googleapis.com)Configure IAP for different GCP compute platforms.
# Enable required APIs
gcloud services enable iap.googleapis.com
gcloud services enable accesscontextmanager.googleapis.com
# Create OAuth consent screen
gcloud iap oauth-brands create \
--application_title="Internal Applications" \
[email protected]
# Create OAuth client
gcloud iap oauth-clients create \
projects/PROJECT_ID/brands/BRAND_ID \
--display_name="IAP Web Client"
# === Enable IAP on Compute Engine Backend Service ===
gcloud compute backend-services update my-backend-service \
--iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET \
--global
# === Enable IAP on App Engine ===
gcloud iap web enable \
--resource-type=app-engine \
--oauth2-client-id=CLIENT_ID \
--oauth2-client-secret=CLIENT_SECRET
# === Enable IAP on Cloud Run ===
# First grant IAP service account the Cloud Run Invoker role
gcloud run services add-iam-policy-binding my-service \
--member="serviceAccount:[email protected]" \
--role="roles/run.invoker" \
--region=us-central1
# Enable IAP on the Cloud Run backend service
gcloud compute backend-services update my-cloud-run-backend \
--iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET \
--global
# === Enable IAP TCP Forwarding for SSH/RDP ===
# No load balancer needed - uses IAP tunnel
gcloud compute instances add-iam-policy-binding my-vm \
--member="group:[email protected]" \
--role="roles/iap.tunnelResourceAccessor" \
--zone=us-central1-a
# SSH through IAP tunnel
gcloud compute ssh my-vm --zone=us-central1-a --tunnel-through-iap
# RDP through IAP tunnel
gcloud compute start-iap-tunnel my-windows-vm 3389 \
--local-host-port=localhost:3390 \
--zone=us-central1-a
Grant access to specific users and groups with optional access level conditions.
# Grant basic access to a group
gcloud iap web add-iam-policy-binding \
--resource-type=backend-services \
--service=my-backend-service \
--member="group:[email protected]" \
--role="roles/iap.httpsResourceAccessor"
# Grant access with access level condition
gcloud iap web add-iam-policy-binding \
--resource-type=backend-services \
--service=finance-app \
--member="group:[email protected]" \
--role="roles/iap.httpsResourceAccessor" \
--condition='expression=request.auth.access_levels.exists(x, x == "accessPolicies/POLICY_ID/accessLevels/corporate-device"),title=RequireCorporateDevice,description=Requires managed corporate device'
# Grant access only during business hours
gcloud iap web add-iam-policy-binding \
--resource-type=backend-services \
--service=admin-console \
--member="group:[email protected]" \
--role="roles/iap.httpsResourceAccessor" \
--condition='expression=request.time.getHours("America/New_York") >= 8 && request.time.getHours("America/New_York") <= 18 && request.time.getDayOfWeek("America/New_York") >= 1 && request.time.getDayOfWeek("America/New_York") <= 5,title=BusinessHoursOnly'
# Grant access to a specific URL path
gcloud iap web add-iam-policy-binding \
--resource-type=backend-services \
--service=internal-api \
--member="group:[email protected]" \
--role="roles/iap.httpsResourceAccessor" \
--condition='expression=request.path.startsWith("/api/v2/"),title=APIv2Access'
Define context-based access requirements using device attributes and network conditions.
# Create access level requiring encrypted corporate device
cat > managed-device.yaml << 'EOF'
- devicePolicy:
allowedEncryptionStatuses:
- ENCRYPTED
osConstraints:
- osType: DESKTOP_WINDOWS
minimumVersion: "10.0.19045"
- osType: DESKTOP_MAC
minimumVersion: "14.0"
- osType: DESKTOP_CHROME_OS
requireScreenlock: true
requireAdminApproval: true
allowedDeviceManagementLevels:
- ADVANCED
EOF
gcloud access-context-manager levels create managed-device \
--policy=POLICY_ID \
--title="Managed Device" \
--basic-level-spec=managed-device.yaml
# Create access level for corporate network
cat > corp-network.yaml << 'EOF'
- ipSubnetworks:
- "203.0.113.0/24"
- "198.51.100.0/24"
regions:
- US
- GB
EOF
gcloud access-context-manager levels create corp-network \
--policy=POLICY_ID \
--title="Corporate Network" \
--basic-level-spec=corp-network.yaml
# Create custom access level using CEL for complex logic
cat > high-trust.yaml << 'EOF'
expression: >
device.encryption_status == DeviceEncryptionStatus.ENCRYPTED &&
device.is_admin_approved_device == true &&
(
origin.ip in ["203.0.113.0/24"] ||
device.os_type == OsType.DESKTOP_CHROME_OS
) &&
request.auth.claims.hd == "company.com"
EOF
gcloud access-context-manager levels create high-trust \
--policy=POLICY_ID \
--title="High Trust" \
--custom-level-spec=high-trust.yaml
Set session duration and re-authentication policies per application.
# Configure re-authentication for a backend service
# Requires login every 4 hours for sensitive apps
gcloud iap settings set \
--project=PROJECT_ID \
--resource-type=compute \
--service=finance-app \
reauthSettings.method=LOGIN \
reauthSettings.maxAge=14400s \
reauthSettings.policyType=MINIMUM
# Configure session settings for App Engine
gcloud iap settings set \
--project=PROJECT_ID \
--resource-type=app-engine \
reauthSettings.method=SECURE_KEY \
reauthSettings.maxAge=3600s \
reauthSettings.policyType=MINIMUM
# View current IAP settings
gcloud iap settings get \
--project=PROJECT_ID \
--resource-type=compute \
--service=finance-app
Enable service-to-service communication through IAP-protected endpoints.
#!/usr/bin/env python3
"""Access IAP-protected resource using service account credentials."""
import google.auth
import google.auth.transport.requests
from google.auth import impersonated_credentials
import requests as req
IAP_CLIENT_ID = "YOUR_IAP_OAUTH_CLIENT_ID.apps.googleusercontent.com"
IAP_URL = "https://my-app.company.com/api/data"
def access_iap_resource():
# Get default credentials (works with service account key or workload identity)
credentials, project = google.auth.default()
# Create IAP-authenticated request
authed_session = google.auth.transport.requests.AuthorizedSession(
credentials,
target_audience=IAP_CLIENT_ID
)
# Make request to IAP-protected resource
response = authed_session.get(IAP_URL)
print(f"Status: {response.status_code}")
print(f"Response: {response.text[:500]}")
return response
if __name__ == "__main__":
access_iap_resource()
Configure logging for all IAP access decisions.
# Enable data access audit logs for IAP
gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json
# Add IAP audit config to policy.json:
# {
# "service": "iap.googleapis.com",
# "auditLogConfigs": [
# {"logType": "ADMIN_READ"},
# {"logType": "DATA_READ"},
# {"logType": "DATA_WRITE"}
# ]
# }
gcloud projects set-iam-policy PROJECT_ID policy.json
# Create log-based metric for denied access
gcloud logging metrics create iap-denied-access \
--description="Count of IAP access denials" \
--log-filter='resource.type="gce_backend_service" AND protoPayload.status.code=16'
# Create alerting policy for high denial rates
gcloud alpha monitoring policies create \
--display-name="IAP High Denial Rate" \
--condition-display-name="Denied access > 50 in 5 min" \
--condition-filter='metric.type="logging.googleapis.com/user/iap-denied-access"' \
--condition-threshold-value=50 \
--condition-threshold-duration=300s \
--notification-channels=projects/PROJECT_ID/notificationChannels/CHANNEL_ID
# Query IAP access logs
gcloud logging read '
resource.type="gce_backend_service"
protoPayload.serviceName="iap.googleapis.com"
timestamp >= "2026-02-22T00:00:00Z"
' --project=PROJECT_ID --format='table(timestamp,protoPayload.authenticationInfo.principalEmail,protoPayload.status.code,resource.labels.backend_service_name)' --limit=50
| Term | Definition |
|---|---|
| Identity-Aware Proxy | GCP service that intercepts web requests and TCP connections, authenticating users and evaluating access policies before proxying to backend services |
| Backend Service | GCP load balancer component that IAP protects; can serve Compute Engine instances, GKE pods, Cloud Run services, or App Engine |
| IAP Tunnel | Secure TCP tunnel through IAP allowing SSH, RDP, and other TCP access to VMs without public IPs or VPN |
| OAuth Consent Screen | GCP configuration specifying the application name and support email shown to users during IAP authentication |
| Access Level | Named condition in Access Context Manager evaluated during IAP authorization (device posture, IP, geography) |
| Re-authentication | IAP feature requiring users to prove their identity again after a configurable session duration |
Context: An e-commerce company runs 15 internal services on GKE and Cloud Run (admin dashboards, internal APIs, monitoring tools). Currently, these services are protected only by VPN and firewall rules, creating excessive network-level access.
Approach:
Pitfalls: IAP adds 10-50ms latency per request; test application performance. WebSocket connections through IAP require specific backend service configuration. Service-to-service calls within GKE should bypass IAP using internal service mesh, not external IAP endpoints. Break-glass access should use a separate IAM binding without access level conditions.
Google Cloud IAP Configuration Report
==================================================
Project: ecommerce-internal
Report Date: 2026-02-23
IAP-PROTECTED SERVICES:
Backend Services: 12
App Engine: 1
Cloud Run: 2
IAP TCP Tunnels: 4 (SSH access)
Total: 19
ACCESS CONTROL:
IAM Bindings: 34
With Access Levels: 18 (52.9%)
Access Levels: 3 (managed-device, corp-network, high-trust)
SESSION POLICIES:
Admin tools: 4h re-auth (SECURE_KEY)
Sensitive apps: 4h re-auth (LOGIN)
General tools: 8h re-auth (LOGIN)
ACCESS LOGS (last 24h):
Total requests: 23,456
Authenticated: 23,289 (99.3%)
Denied by IAM: 112
Denied by access level: 55
Unique users: 134
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
configuring-identity-aware-proxy-with-google-iap fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
configuring-identity-aware-proxy-with-google-iap is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Registry listing for configuring-identity-aware-proxy-with-google-iap matched our evaluation — installs cleanly and behaves as described in the markdown.
Useful defaults in configuring-identity-aware-proxy-with-google-iap — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Keeps context tight: configuring-identity-aware-proxy-with-google-iap is the kind of skill you can hand to a new teammate without a long onboarding doc.
configuring-identity-aware-proxy-with-google-iap is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
configuring-identity-aware-proxy-with-google-iap fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
configuring-identity-aware-proxy-with-google-iap reduced setup friction for our internal harness; good balance of opinion and flexibility.
I recommend configuring-identity-aware-proxy-with-google-iap for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
We added configuring-identity-aware-proxy-with-google-iap from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
showing 1-10 of 62